CyberSecurityWaala

Digital Personal Data Protection Bill, 2025 – Draft Release

The Digital Personal Data Protection Bill, 2025, is currently in the draft stage and has been introduced in the Indian Parliament. It is undergoing review and consideration by the Indian government and various stakeholders. The bill has been released for public consultation and feedback, and it is expected to undergo further revisions and amendments before it is passed into law.

In this blog, we will delve into the key aspects of these rules:

Data Fiduciaries

The Digital Personal Data Protection Rules, 2025, introduce the concept of data fiduciaries, who are entities that determine the purpose and means of processing personal data. These fiduciaries are responsible for ensuring that personal data is processed in a lawful, transparent, and fair manner. They must implement robust technical and organizational measures to protect personal data from unauthorized access, disclosure, or breach. This shift in responsibility underscores the importance of accountability in data protection.

Consent Managers

The rules also introduce the concept of consent managers, which refers to entities that manage the consent of data principals (individuals whose data is being processed). Consent managers are responsible for maintaining records of consent, ensuring that data principals can access and manage their consent easily, and preventing conflicts of interest. For instance, a consent manager may be responsible for obtaining consent from users before sharing their personal data with third-party advertisers.

Data Retention

The Digital Personal Data Protection Rules, 2025, specify the duration for which different classes of data fiduciaries can retain personal data. The rules provide for the following retention periods:

  • 6 months: For data fiduciaries that process personal data for the purpose of providing goods or services, the retention period shall not exceed 6 months from the date of collection.
  • 1 year: For data fiduciaries that process personal data for the purpose of marketing or advertising, the retention period shall not exceed 1 year from the date of collection.
  • 2 years: For data fiduciaries that process personal data for the purpose of research or statistical analysis, the retention period shall not exceed 2 years from the date of collection.
  • 5 years: For data fiduciaries that process personal data for the purpose of healthcare or medical research, the retention period shall not exceed 5 years from the date of collection.

Exceptions to Data Retention

The rules provide for certain exceptions to the data retention periods specified above. These exceptions include:

  • Archiving: Personal data may be retained for a longer period if it is archived for historical, statistical, or scientific research purposes, or for the purpose of complying with a legal obligation.
  • Anonymization: Personal data may be retained for a longer period if it is anonymized, meaning that it can no longer be linked to a specific individual.
  • Consent: Personal data may be retained for a longer period if the data principal has provided consent for such retention.
  • Legal Obligation: Personal data may be retained for a longer period if it is necessary to comply with a legal obligation.

Deletion of Personal Data

The rules specify that a data fiduciary shall delete personal data that is no longer necessary for the purpose for which it was collected, unless an exception applies. The rules provide for the following circumstances in which personal data may be deleted:

  • Withdrawal of Consent: If the data principal withdraws their consent for the processing of their personal data, the data fiduciary shall delete the personal data unless an exception applies.
  • Completion of Purpose: If the purpose for which the personal data was collected has been completed, the data fiduciary shall delete the personal data unless an exception applies.
  • Expiry of Retention Period: If the retention period specified in the rules has expired, the data fiduciary shall delete the personal data unless an exception applies.

Data Retention Schedule

The rules require data fiduciaries to maintain a data retention schedule, which shall include the following information:

  • Personal Data Category: A description of the type of personal data being collected.
  • Retention Period: The period for which the personal data will be retained.
  • Purpose: The purpose for which the personal data is being collected.
  • Storage Location: The location where the personal data will be stored.
  • Security Measures: The security measures that will be taken to protect the personal data.

Review and Update of Data Retention Schedule

The rules require data fiduciaries to review and update the data retention schedule at least once every 6 months to ensure that it remains accurate and up to date.

A New Era of Data Protection

The Digital Personal Data Protection Rules, 2025 (DPDP or Data Protection bill), mark a significant milestone in the journey towards robust data protection in India. These rules are designed to protect the personal data of individuals, promote transparency and accountability, and foster trust in the digital economy. As we navigate this new landscape, it is essential for individuals and organizations to understand their rights and responsibilities under these rules.

Key Takeaways:

  • The Digital Personal Data Protection Rules, 2025 introduce new roles like data fiduciaries and consent managers to make sure data is handled responsibly and transparently.
  • These rules also set time limits for how long different types of data can be kept by data fiduciaries.
  • Some organizations, like hospitals and schools, are exempt from certain rules about handling children’s data.
  • Overall, the rules encourage transparency and responsibility, giving people more control over their personal information.
